A user submitted a suspicious link that was present in his website as a hidden iframe. Malicious hidden iframes are mainly inserted into the HTML pages of legitimate websites by hackers who want to spread their malware, with the objective of infecting every user who visits the compromised website. In most cases the hackers may have infected every file of the website, or they have installed a malicious URL redirect to another website that hosts exploits for commonly used web browsers.

Shared Hosting:
If your website is hosted on a shared host and a hacker has compromised one website hosted in the same cluster as yours, the hacker can infect ALL the websites present, yours included.

Now let's see what would happen if you had visited the infected website with the hidden malicious iframe. The malicious hidden iframe looks like:

After I browsed the malicious URL I was redirected to another website that contains a PDF exploit:

The file C:\Documents and Settings\user\user.exe had the +H (Hidden) attribute and was hidden from Explorer search. A DLL file named crypts.dll was injected into explorer.exe, and the file named user.exe created a new registry key so that it starts every time Windows starts:

HKCU\...\Run\user.exe

During the analysis, the malware established various connections with different domains and IPs:

The first action the system administrator needs to take is to remove the malicious hidden iframe code from all HTML pages, then check the logs and the code of the installed PHP scripts for vulnerable code. It is very important to change all the usernames and passwords for all the accounts present on the server.
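As an added example, not code from the original post, here is a small triage helper an administrator can run over a web root to locate hidden iframes before cleaning them. It relies on the standard-library HTML parser and flags an iframe when its attributes or inline style hide it (zero width/height, display:none, visibility:hidden, an off-screen position or the hidden attribute). The heuristics, the function names and the sample page (with its placeholder URL) are assumptions for illustration, not indicators from the incident above.

```python
# Added example (not from the original post): locate hidden <iframe> tags in
# HTML/PHP files so injected frames can be found site-wide before cleanup.
# Heuristics and the sample page below are assumptions, not incident data.
from html.parser import HTMLParser
from pathlib import Path
import re

# Matches sizes such as "0", "0px", "0.0%" that make a frame invisible.
_ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|pt|em|%)?\s*$", re.I)


def _zero_dim(value):
    return value is not None and bool(_ZERO.match(value))


def _hidden_reasons(attrs):
    """Return the reasons an iframe with these attributes counts as hidden."""
    a = {k.lower(): (v or "") for k, v in attrs}
    reasons = []
    if _zero_dim(a.get("width")) or _zero_dim(a.get("height")):
        reasons.append("zero width/height attribute")
    if "hidden" in a:
        reasons.append("hidden attribute")
    for decl in a.get("style", "").split(";"):
        if ":" not in decl:
            continue
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip().lower()
        if prop == "display" and val == "none":
            reasons.append("style display:none")
        elif prop == "visibility" and val == "hidden":
            reasons.append("style visibility:hidden")
        elif prop in ("width", "height") and _zero_dim(val):
            reasons.append(f"style {prop}:0")
        elif prop in ("left", "top") and val.startswith("-"):
            reasons.append(f"style {prop} off-screen")
    return reasons


class _IframeFinder(HTMLParser):
    """Collects every iframe start tag that looks hidden, with its line."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        reasons = _hidden_reasons(attrs)
        if reasons:
            src = next((v for k, v in attrs if k.lower() == "src"), "")
            self.findings.append(
                {"line": self.getpos()[0], "src": src or "", "reasons": reasons}
            )


def find_hidden_iframes(html):
    """Return a list of {line, src, reasons} dicts for hidden iframes."""
    parser = _IframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_tree(root, suffixes=(".html", ".htm", ".php")):
    """Walk a web root and map each file path to its hidden-iframe findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = find_hidden_iframes(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample page: one legitimate visible embed and one injected,
# hidden frame (placeholder URL, not an indicator from the original post).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<p>Footer</p>
<iframe src="http://injected.invalid/in.php" width="0" height="0"
        style="display:none; visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"line {hit['line']}: {hit['src']} ({', '.join(hit['reasons'])})")
```

Run `scan_tree("/var/www/html")` (path assumed) to get a per-file map of suspicious frames; review each hit by hand, since a legitimate tracking pixel or analytics frame can also be sized to zero, and treat any match that points at a domain you do not recognise as the injected code to remove.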